8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
Deploying a fault-tolerant Microso� Active Directory environment
This tutorial is the �rst part of a series that helps you deploy a highly available Windows architecture on Google Cloud with Microsoft Active Directory, SQL Server, and Internet Information Services (IIS). In this tutorial, you set up a redundant pair of Windows domain controllers with Active Directory using a new Virtual Private Cloud (VPC) network and multiple subnets.
The series consists of these tutorials:
Deploying a fault-tolerant Microsoft Active Directory environment (this document)
Deploying a multi-subnet SQL Server (/solutions/deploy-multi-subnet-sql-server)
Deploying load-balanced IIS web servers (/solutions/deploy-load-balanced-iis-web-servers)
Each tutorial builds on the infrastructure that you create in the preceding one.
You can also use this tutorial to learn to set up an Active Directory con�guration for use in other architectures. This guide does not cover replicating a remote Active Directory environment to the new Google Cloud- based Active Directory environment, although this is possible with Cloud VPN and additional Active Directory con�guration.
Architecture
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 1/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
Objectives
Create a custom mode VPC network with two subnets spanning two zones.
Create Windows Server virtual instances and enable Active Directory Domain Services.
Con�gure a new domain with Active Directory.
Join the new Windows Server instances to the new domain.
Con�gure �rewall rules to allow tra�c to the virtual machines.
Test the con�guration.
Costs
This tutorial uses billable components of Google Cloud, including:
Compute Engine (/compute)
Persistent Disk (/persistent-disk)
The Pricing Calculator (/products/calculator#id=f1e0652a-76e4-402d-8694-b73681607893) estimates the cost of this environment at around $4 per day.
Before you begin
1. In the Cloud Console, on the project selector page, select or create a Cloud project.
Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you �nish these steps, you can delete the project, removing all resources associated with the project.
Go to the project selector page (https://console.cloud.google.com/projectselector2/home/dashboar
2. Make sure that billing is enabled for your Google Cloud project. Learn how to con�rm billing is enabled for your project (/billing/docs/how-to/modify-project).
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 2/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
3. Enable the Compute Engine API.
Enable the API (https://console.cloud.google.com/�ows/enableapi?apiid=compute)
Initializing common variables
You must de�ne several environment variables that control where elements of the infrastructure are deployed.
1. Go to Cloud Shell.
Open Cloud Shell (https://console.cloud.google.com/cloudshell)
2. In Cloud Shell, create the following environment variables to set values that you need later in the tutorial.
The commands set the region to us-east-1. You can use a different region, but remember the region that you use so you can use the same region in the subsequent tutorials.
export region=us-east1 export zone_1=${region}-b export zone_2=${region}-c export vpc_name=webappnet export project_id=your-project-id
Replace your-project-id with the ID of the Google Cloud project that you're using.
3. Run the following commands to set the default region and project ID so you don't have to specify these values in every subsequent command:
gcloud config set compute/region ${region} gcloud config set project ${project_id}
Creating the network infrastructure
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 3/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
After you've de�ned the infrastructure variables, it's time to create the network and subnets that Active Directory will use.
1. In Cloud Shell, run the following command to create the VPC network:
gcloud compute networks create ${vpc_name} \ --description "VPC network to deploy Active Directory" \ --subnet-mode custom
You see the following warning, which you can ignore, because you create these �rewall rules in later steps.
Instances on this network will not be reachable until firewall rules are created.
2. Add two subnets to the VPC network:
gcloud compute networks subnets create private-ad-zone-1 \ --network ${vpc_name} \ --range 10.1.0.0/24
gcloud compute networks subnets create private-ad-zone-2 \ --network ${vpc_name} \ --range 10.2.0.0/24
3. Create an internal �rewall rule to allow tra�c between subnets:
gcloud compute firewall-rules create allow-internal-ports-private-ad \ --network ${vpc_name} \ --allow tcp:1-65535,udp:1-65535,icmp \ --source-ranges 10.1.0.0/24,10.2.0.0/24
Note: In a production environment, it's a best practice to secure all the ports that your systems are not actively using. It's also a best practice to secure access to your machines using a bastion host
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 4/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
(/solutions/connecting-securely#bastion).
4. Create a �rewall rule to allow an RDP connection on port 3389 from any location:
gcloud compute firewall-rules create allow-rdp \ --network ${vpc_name} \ --allow tcp:3389 \ --source-ranges 0.0.0.0/0
Creating the �rst domain controller
Next you create a domain controller that has the following properties:
Name: ad-dc1
IP Address: 10.1.0.100
1. Create a Compute Engine instance of Windows Server 2016 to use as the �rst domain controller:
gcloud compute instances create ad-dc1 --machine-type n1-standard-2 \ --boot-disk-type pd-ssd \ --boot-disk-size 50GB \ --image-family windows-2016 --image-project windows-cloud \ --network ${vpc_name} \ --zone ${zone_1} --subnet private-ad-zone-1 \ --private-network-ip=10.1.0.100
Note: You can increase the boot disk size based on your expected needs.
2. Wait approximately one minute, and then create a password for the Windows instance ad-dc1:
gcloud compute reset-windows-password ad-dc1 --zone ${zone_1} --quiet
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 5/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
The username is your Google account username. Note the username and password for future use.
Note: If the instance is not ready to accept the request, you see the following error message. If so, retry the command in a few minutes.
ERROR: (gcloud.compute.reset-windows-password) The instance may not be ready for use. This can occur if the instance was recently created or if the instance is not running Windows. Please wait a few minutes and try again.
3. Use RDP to connect to the domain controller instance with the credentials you created in the previous step.
4. Open a PowerShell terminal as Administrator. (Click Start, type PowerShell, and then press Shift+Ctrl+Enter.)
5. Set the Windows credentials for the Administrator account:
net user Administrator *
Note: To paste commands into a PowerShell terminal, press Alt+Space+P.
You're prompted to create a password. Use a strong password, and store the password in safe location for future use.
The Administrator account will become a domain admin account after you've created the Active Directory forest (https://technet.microsoft.com/en-us/library/cc759073(v=ws.10).aspx) with it.
6. Enable the account:
net user Administrator /active:yes
7. Install Active Directory Domain Services, including Management Tools:
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 6/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
8. Set the following variables:
$DomainName = "example-gcp.com" $DomainMode = "7" $ForestMode = "7" $DatabasePath = "C:\Windows\NTDS" $SysvolPath = "C:\Windows\SYSVOL" $LogPath = "C:\Logs"
9. Install the new Active Directory forest con�guration in Windows Server 2016 mode:
Install-ADDSForest -CreateDnsDelegation:$false ` -DatabasePath $DatabasePath ` -LogPath $LogPath ` -SysvolPath $SysvolPath ` -DomainName $DomainName ` -DomainMode $DomainMode ` -ForestMode $ForestMode ` -InstallDNS:$true ` -NoRebootOnCompletion:$true ` -Force:$true
10. When you're prompted, enter a Safe Mode Administrator password. Store the password in a safe location for future use.
11. Dismiss the following warnings. Each warning will appear two times, once during prerequisites veri�cation and a second time during the installation process.
WARNING: Windows Server 2016 domain controllers have a default for the security setting named Allow cryptography algorithms compatible with Windows NT 4.0 that prevents weaker cryptography algorithms when establishing security channel sessions.
For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 7/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
WARNING: This computer has at least one physical network adapter that does not have static IP address(es) assigned to its IP Properties. If both IPv4 and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP addresses should be assigned to both IPv4 and IPv6 Properties of the physical network adapter. Such static IP address(es) assignment should be done to all the physical network adapters for reliable Domain Name System (DNS) operation.
WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "example-gcp.com". Otherwise, no action is required.
12. Restart the virtual machine:
Restart-Computer
13. Use RDP to connect to domain controller ad-dc1 with the Administrator credentials you de�ned during the Active Directory forest installation. Remember to add the domain name as a pre�x, as in EXAMPLE-GCP\Administrator.
Note: If you are using the Chrome RDP client, you might see the following warning about the certi�cate. Follow the instructions to connect.
WARNING Someone could be trying to intercept your communication. To connect anyway select Chrome RDP Options, select the Certificates tab, select the
14. Open a PowerShell terminal as Administrator.
15. Set the following variables:
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 8/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
$DNSPrimary = "10.2.0.100" $DNSSecondary = "127.0.0.1" $LocalStaticIp = "10.1.0.100" $DefaultGateway = "10.1.0.1"
16. Set the IP address and default gateway:
netsh interface ip set address name=Ethernet static ` $LocalStaticIp 255.255.255.0 $DefaultGateway 1
Note: RDP might lose connectivity for a few seconds or require you to reconnect.
17. Con�gure the primary DNS server:
netsh interface ip set dns Ethernet static $DNSPrimary
DNS server ad-dc2 will be available only after the second domain controller is deployed, so you can ignore the following error message:
The configured DNS server is incorrect or does not exist.
Note: You con�gure the DNS servers after the Active Directory forest installation. Installing the forest overwrites the post-installation values with the IP addresses of the domain controllers ac-dc1 and ad-dc2. You set up the ac-dc2 domain controller later in this tutorial.
18. Con�gure the secondary DNS server:
netsh interface ip add dns Ethernet $DNSSecondary index=2
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 9/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
The DNS server entry for this domain controller, ad-dc1, should be second in the list in order to prevent Active Directory from frequently losing connection with the other controller. Use the second domain controller, ad-dc2, as the primary DNS server. You create the ad-dc2 domain controller in the next section. If you don't follow this pattern, the following errors appear under Server Manager > Active Directory Domain Services:
The DFS Replication service failed to update configuration in Active Directory Domain Services. The service will retry this operation periodically.
You might see errors on the ad-dc1 server before both servers are fully con�gured. You can ignore these errors.
Creating the second domain controller
Next you create a second domain controller in a different zone to provide fault tolerance. The second domain controller has the following properties:
Name: ad-dc2
IP Address: 10.2.0.100
1. If your Cloud Shell window has expired, open a new Cloud Shell instance and reset the variables you set earlier. To do that, edit the following script to specify the project ID and region that you used earlier.
region=us-east1 zone_2=${region}-c zone_1=${region}-b vpc_name=webappnet project_id=your-project-id
gcloud config set compute/region ${region} gcloud config set project ${project_id}
Replace your-project-id with the ID of the Cloud project that you're using.
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 10/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
2. Copy the script into your Cloud Shell window and run it.
3. Use Cloud Shell to create the second domain controller instance:
gcloud compute instances create ad-dc2 --machine-type n1-standard-2 \ --boot-disk-size 50GB \ --boot-disk-type pd-ssd \ --image-family windows-2016 --image-project windows-cloud \ --can-ip-forward \ --network ${vpc_name} \ --zone ${zone_2} \ --subnet private-ad-zone-2 \ --private-network-ip=10.2.0.100
4. Wait approximately one minute, and then create a password for the Windows instance ad-dc2:
gcloud compute reset-windows-password ad-dc2 --zone ${zone_2} --quiet
The username is your Google account username. Note the username and password for future use.
5. Use RDP to connect to the domain controller instance with the credentials you created in the previous step.
6. Open a PowerShell terminal as Administrator.
7. Install Active Directory Domain Services, including Management Tools:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
8. Set the following variables:
$DomainName = "example-gcp.com" $DomainPrefix = "EXAMPLE-GCP" $DNSPrimary = "10.1.0.100" $DNSSecondary = "127.0.0.1"
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 11/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
$LocalStaticIp = "10.2.0.100" $DefaultGateway = "10.2.0.1" $DatabasePath = "C:\Windows\NTDS" $SysvolPath = "C:\Windows\SYSVOL" $LogPath = "C:\Logs"
9. Con�gure the primary DNS server:
netsh interface ip set dns Ethernet static $DNSPrimary
10. Con�gure the second server so that it acts as its own secondary DNS server:
netsh interface ip add dns Ethernet $DNSSecondary index=2
The ad-dc2 DNS server will be available only after ad-dc2 is joined to the domain as a domain controller. Because the server hasn't been joined yet, you see the following message, but you can ignore it:
The configured DNS server is incorrect or does not exist.
11. Set the IP address and default gateway:
netsh interface ip set address name=Ethernet static ` $LocalStaticIp 255.255.255.0 $DefaultGateway 1
Note: RDP might lose connectivity for a few seconds or require you to reconnect.
12. Run the following PowerShell script, which will let you know when the �rst domain controller becomes operational. Wait until you see the Domain controller is reachable message.
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 12/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
$DomainIsReady=$False For ($i=0; $i -le 30; $i++) { nltest /dsgetdc:$DomainName if($LASTEXITCODE -ne 0) { Write-Host "Domain not ready, wait 1 more minute, then retry" Start-Sleep -s 60 } else { $DomainIsReady=$True Write-Host "Domain controller is reachable" break } } if($DomainIsReady -eq $False) { Write-Host "Domain not ready. Check if it was deployed ok" }
13. Add the virtual machine to the forest as a second domain controller:
Install-ADDSDomainController ` -Credential (Get-Credential "$DomainPrefix\Administrator") ` -CreateDnsDelegation:$false ` -DatabasePath $DatabasePath ` -DomainName $DomainName ` -InstallDns:$true ` -LogPath $LogPath ` -SysvolPath $SysvolPath ` -NoGlobalCatalog:$false ` -SiteName 'Default-First-Site-Name' ` -NoRebootOnCompletion:$true ` -Force:$true
14. When you're prompted to provide a password for the Administrator account, use the Administrator credentials you de�ned during Active Directory forest installation. Add the domain name as a pre�x, as in EXAMPLE-GCP\Administrator.
15. When you're prompted to enter a Safe Mode Administrator password, use the same password you used for the �rst domain controller.
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 13/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
16. Ignore the following warnings. Each warning appears twice: once during prerequisites veri�cation, and a second time during the installation process.
WARNING: Windows Server 2016 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions.
For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).
WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "example-gcp.com". Otherwise, no action is required.
17. Restart the virtual machine:
Restart-Computer
Testing the installation
1. Wait 5 to 10 minutes to make sure that both domain controllers are operational and are replicating information.
2. Using RDP, connect to the �rst domain controller instance using the Administrator credentials you de�ned during the �rst domain controller installation. Add the domain name as a pre�x, as in EXAMPLE-GCP\Administrator.
3. Open a PowerShell terminal as Administrator.
4. Test that replication is working:
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 14/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
repadmin /replsum
Note: For more information, read about replication and topology management in Active Directory (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/powershell/advanced- active-directory-replication-and-topology-management-using-windows-powershell--level-200- #BKMK_Repl) .
The output should resemble the following, with no errors or failures.
If the domain controller is not available, you see a message like the following:
Beginning data collection for replication summary, this may take awhile:
.... Source DSA largest delta fails/total %% error
Destination DSA largest delta fails/total %% error
If you see this message, wait a couple of minutes and then retry the command.
Cleaning up
If you want to continue to the next tutorial in this series (Deploying a multi-subnet SQL Server (/solutions/deploy-multi-subnet-sql-server)), keep the resources that you created in this tutorial. However, if you don't intend to use the Active Directory environment that you created in this
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 15/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
tutorial, go ahead and clean up the resources you created on Google Cloud so you won't be billed for them. The following sections describe how to delete or turn off these resources.
Deleting the project
The easiest way to eliminate billing is to delete the project that you created for the tutorial.
To delete the project:
Caution: Deleting a project has the following effects:
Everything in the project is deleted. If you used an existing project for this tutorial, when you delete it, you also delete any other work you've done in the project.
Custom project IDs are lost. When you created this project, you might have created a custom project ID that you want to use in the future. To preserve the URLs that use the project ID, such as an appspot.com URL, delete selected resources inside the project instead of deleting the whole project.
If you plan to explore multiple tutorials and quickstarts, reusing projects can help you avoid exceeding project quota limits.
1. In the Cloud Console, go to the Manage resources page.
Go to the Manage resources page (https://console.cloud.google.com/iam-admin/projects)
2. In the project list, select the project that you want to delete and then click Delete .
3. In the dialog, type the project ID and then click Shut down to delete the project.
Deleting instances
To delete a Compute Engine instance:
1. In the Cloud Console, go to the VM Instances page.
Go to the VM Instances page (https://console.cloud.google.com/compute/instances)
2. Click the checkbox for the instance you want to delete.
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 16/17 8/23/2020 Deploying a fault-tolerant Microsoft Active Directory environment
3. Click Delete to delete the instance.
Deleting VPC networks
To delete the VPC network, subnets, and �rewall rules:
1. In the Cloud Console, go to the VPC networks page.
Go to VPC networks page (https://console.cloud.google.com/networking/networks/list)
2. Select the VPC network you created.
3. Click the Delete button at the top of the page.
What's next
Continue to the next tutorials in this series:
Deploying a multi-subnet SQL Server (/solutions/deploy-multi-subnet-sql-server)
Deploying load-balanced IIS web servers (/solutions/deploy-load-balanced-iis-web-servers)
Learn more about patterns for using Active Directory in a hybrid environment (/solutions/patterns-for-using-active-directory-in-a-hybrid-environment).
Review best practices for enterprise organizations (/docs/enterprise/best-practices-for-enterprise-organizations).
Try out other Google Cloud features for yourself. Have a look at our tutorials (/docs/tutorials).
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License (https://creativecommons.org/licenses/by/4.0/), and code samples are licensed under the Apache 2.0 License (https://www.apache.org/licenses/LICENSE-2.0). For details, see the Google Developers Site Policies (https://developers.google.com/site-policies). Java is a registered trademark of Oracle and/or its a�liates.
Last updated 2020-06-22 UTC.
https://cloud.google.com/solutions/deploy-fault-tolerant-active-directory-environment 17/17